From caf1f12f043ac5527a4e55f5fefbfe3ad97ee2e0 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@bah.spb.su>
Date: Sat, 17 May 2008 04:03:03 +0100
Subject: disallow ; in labels

---
 modules/pref-labels.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'modules/pref-labels.php')

diff --git a/modules/pref-labels.php b/modules/pref-labels.php
index e9e6ee860..3582f42eb 100644
--- a/modules/pref-labels.php
+++ b/modules/pref-labels.php
@@ -87,6 +87,8 @@
 			$expr = trim($_GET["expr"]);
 			$descr = db_escape_string(trim($_GET["descr"]));
 
+			$expr = str_replace(";", "", $expr);
+
 			if (!$expr) {
 				print "<div>Error: SQL expression is blank.</div>";
 				return;
@@ -159,7 +161,9 @@
 			$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 			$descr = db_escape_string(trim($_GET["description"]));
 			$label_id = db_escape_string($_GET["id"]);
-			
+
+			$sql_exp = str_replace(";", "", $sql_exp);
+
 			$result = db_query($link, "UPDATE ttrss_labels SET 
 				sql_exp = '$sql_exp', 
 				description = '$descr'
@@ -189,6 +193,8 @@
 			$sql_exp = db_escape_string(trim($_GET["sql_exp"]));
 			$description = db_escape_string($_GET["description"]);
 
+			$sql_exp = str_replace(";", "", $sql_exp);
+
 			if (!$sql_exp || !$description) return;
 
 			$result = db_query($link,
-- 
cgit v1.2.3